EU Unveils Action Plan on Cybersecurity and AI: What It Means for AI-Risk and Compliance Teams
By Jean-Hugues Migeon
On July 7, 2026, the European Commission presented its Action Plan on Cybersecurity and Artificial Intelligence, a structured response to the risks (and opportunities) that advanced AI models pose for cybersecurity. Presenting the initiative to the European Parliament, EU digital chief Henna Virkkunen warned that “these advanced AI models can now build cyber exploits in minutes or hours at a fraction of the cost of vulnerability discovery by trained humans,” and that once weaponised, those vulnerabilities “endanger the security of our infrastructure and society.”
For AI-risk and compliance professionals, this is more than another EU communication. It is a concrete step toward building the enforcement infrastructure behind the AI Act and a clear signal that Brussels wants AI models evaluated under EU oversight, not left to vendor self-assessment alone.
What the Action Plan does
Building on the EU’s existing AI and cybersecurity legal framework, the plan brings together Member States, industry, and EU-level bodies around several concrete strands of work:
- A European blueprint for structured access. The Commission and ENISA (the EU Agency for Cybersecurity) will define a blueprint clarifying how public authorities and private companies can obtain structured, transparent access to advanced AI models for cybersecurity purposes – access that today is often granted to a limited number of organisations with little visibility into the process.
- Pre-market model evaluation. The EU AI Office will work with specialised model evaluators to assess and mitigate the risks posed by the most advanced AI models before they reach the EU market, under the AI Act.
- Defensive guidance for organisations. The plan sets out guidance to help companies defend against AI-powered cyberthreats and speed up the patching of exploitable vulnerabilities.
- A critical infrastructure readiness assessment. The Commission will assess how prepared critical infrastructure operators are for AI-accelerated cyberattacks.
- An EU Grand Challenge on AI for cybersecurity. A dedicated initiative to bring together companies, researchers, and public bodies to develop AI-based defensive tools.
Why this matters for AI governance
The plan lands against a telling backdrop. According to reporting on the announcement, one of Anthropic’s most advanced models was able to identify exploitable vulnerabilities in highly sensitive US government systems within hours – prompting (and then seeing lifted) US export controls – while European authorities and ENISA only secured restricted testing access to that model through a negotiated access programme. That dependency is precisely what the new blueprint for structured access is meant to address, even as MEPs pointed out that Europe’s deeper issue is a lack of frontier AI infrastructure and companies of its own, not just model access.
The more consequential point for compliance teams is the pre-market evaluation strand. Whether AI Act obligations should require independent evaluation before a model launches in the EU – rather than relying on a developer’s own testing, or on non-regulatory bodies such as the UK AI Security Institute, which leading labs have so far favoured – remains contested by industry. The direction of travel, however, is unmistakable: from the AI Act’s risk-based obligations (see our related piece on the AI Act and GDPR) to this new cybersecurity-specific evaluation capacity, the EU is steadily building out the machinery to test and verify AI systems itself, rather than take assurances at face value.
The practical challenge: proving your AI systems can withstand this scrutiny
An evaluation regime only has teeth if organisations can produce timely, credible evidence when asked – not just for frontier model developers, but for every organisation that deploys AI systems with any exposure to cybersecurity risk, from customer-facing chatbots to internal copilots. As we noted when covering the recent rise of LLMs as a new attack surface, most organisations still lack a continuous, evidence-based view of which AI systems they run, what risks each one carries, and how those risks map to the frameworks that apply to them. Tools like ExplAIn offer a quick first read on whether the AI tools you already use would hold up to that kind of scrutiny.
This is the operating model behind Anove’s insAIght platform: helping risk, compliance, and audit teams maintain a continuously updated, audit-ready view of their AI landscape against frameworks including the EU AI Act, ISO/IEC 42001, and the NIST AI RMF – so that as the EU builds out model-evaluation and cybersecurity-readiness expectations, the evidence needed to meet them is already in hand.
The takeaway
Brussels has moved from acknowledging that advanced AI reshapes the cyber threat landscape to building the institutional capacity to evaluate and respond to it directly. For AI-risk and compliance teams, the message is consistent with what we’re seeing everywhere from Illinois to Brussels: self-reported assurance is losing ground to independently verified, continuously maintained evidence. Organisations that get ahead of that shift now will be far better placed when the EU’s evaluation and readiness expectations become concrete requirements.
Learn more
- insAIght – Anove’s AI governance and risk platform for continuous, audit-ready compliance.
- ExplAIn – check whether the AI tools you use are compliant.
- Illinois Enacts First-in-Nation AI Safety Audit Law: What It Means for GRC Teams – related reading on the shift from self-assessment to independent audit.
- LLMs as a New Attack Surface: what does it mean for AI governance? – related reading on AI-driven cybersecurity risk.
Book a demo to see how insAIght keeps your AI governance audit-ready, across the EU AI Act, its cybersecurity Action Plan, and every other framework on your radar.